CVE-2025-22891

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP PEM allows undisclosed traffic to cause a denial of service by stopping the Virtual Server from processing new client connections and increasing memory usage. It affects BIG-IP systems with PEM Control Plane listener Virtual Servers configured with Diameter Endpoint profiles. Only supported software versions are affected.

💻 Affected Systems

Products:
  • F5 BIG-IP Policy Enforcement Manager (PEM)
Versions: Supported versions with PEM Control Plane listener Virtual Servers configured with Diameter Endpoint profiles
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when specific configuration exists: PEM Control Plane listener Virtual Server with Diameter Endpoint profile. End-of-Technical-Support versions are not evaluated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for affected Virtual Servers, potentially disrupting critical network services and requiring manual intervention to restore functionality.

🟠 Likely Case

Service disruption for the affected Virtual Server, causing connection failures and degraded performance until the service is restarted.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, allowing quick detection and remediation before widespread disruption.

🌐 Internet-Facing: HIGH - Virtual Servers exposed to the internet are directly vulnerable to malicious traffic triggering the DoS condition.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require attacker access to internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specific undisclosed traffic patterns to the vulnerable configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check F5 advisory K000139778 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000139778

Restart Required: No

Instructions:

1. Review F5 advisory K000139778 for affected versions.
2. Upgrade to the fixed versions listed in the advisory.
3. No service restart is required according to the advisory.

🔧 Temporary Workarounds

Disable Diameter Endpoint Profile

Applies to: all

Remove or disable the Diameter Endpoint profile from the PEM Control Plane listener Virtual Server configuration:

tmsh modify ltm virtual <virtual_server_name> profiles delete { diameter-endpoint }

Implement Network Controls

Applies to: all

Restrict access to affected Virtual Servers using firewall rules or network segmentation.

🧯 If You Can't Patch

  • Implement strict network access controls to limit traffic to affected Virtual Servers
  • Monitor memory usage and connection rates on affected systems for early detection

🔍 How to Verify

Check if Vulnerable:

Check whether the BIG-IP has a PEM Control Plane listener Virtual Server with a Diameter Endpoint profile:

tmsh list ltm virtual <name> | grep -A5 -B5 diameter-endpoint
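The grep above shows matching lines for one named Virtual Server. As an added example (not from this page or from F5), the script below walks saved `tmsh list ltm virtual` output and prints every Virtual Server whose profile block references a diameter-endpoint profile, so an operator gets an inventory of exposed listeners instead of checking names one by one. The sample output, the virtual server names and the profile name `/Common/diameter-endpoint-pem` are constructed for illustration, not real configuration.

```shell
#!/bin/sh
# Added example: inventory Virtual Servers that reference a diameter-endpoint
# profile, from `tmsh list ltm virtual` text. On a BIG-IP run:
#   tmsh list ltm virtual | find_diameter_vs
# Names in SAMPLE below are constructed, not taken from any real system.

# Reads tmsh "list ltm virtual" output on stdin; prints one matching
# Virtual Server name per line.
find_diameter_vs() {
    awk '
        /^ltm virtual / { vs = $3; hit = 0 }      # new object: remember its name
        /^}/            { if (hit) print vs; vs = "" }  # object closed: report if flagged
        /diameter-endpoint/ { if (vs != "") hit = 1 }   # profile seen inside this object
    '
}

# Constructed sample resembling tmsh output: one PEM control-plane listener
# carrying the profile, plus an unrelated HTTPS virtual server.
SAMPLE='ltm virtual /Common/pem_cp_listener {
    destination /Common/10.0.0.10:3868
    ip-protocol tcp
    profiles {
        /Common/diameter-endpoint-pem {
            context all
        }
        /Common/tcp { }
    }
}
ltm virtual /Common/web_https {
    destination /Common/10.0.0.20:443
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}'

# Usage on a saved dump: find_diameter_vs < dump.txt
printf '%s\n' "$SAMPLE" | find_diameter_vs
```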

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify the running version is patched, then compare it to the fixed versions in the F5 advisory:

tmsh show sys version | grep -i version

📡 Detection & Monitoring

Log Indicators:

  • Virtual Server stops processing connections
  • Abnormal memory usage spikes
  • Connection failures in application logs

Network Indicators:

  • Unusual traffic patterns to Diameter endpoints
  • Increased connection timeouts
  • Service unavailability

SIEM Query:

source="bigip_logs" AND ("Virtual Server stopped" OR "memory spike" OR "connection failure")

🔗 References
